That's the message from Microsoft, which on Jan. 12 ceased support not just for the embedded operating system - although expensive "extended support" contracts are still available for two more years - but also for older versions of its aging IE browser. "Only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates," Microsoft says. "Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10."

How many people are at risk? It's tough to know exactly how many devices are still running Windows XP Embedded SP3 - or earlier. Originally released in 2002, it has been installed on numerous types of stand-alone systems - including ATMs, kiosks and point-of-sale devices - that many organizations do not update on a frequent basis.

Likewise, it's tough to know how many people now use a version of IE that is no longer getting patches. Related estimates vary anywhere from 100 million to 300 million.

But NetMarketShare, which tracks browser usage, estimates that as of December 2015, 47 percent of all browser users employ IE. It says more than half of all IE users were already on version 11, while 3 percent were using the newer Edge browser that began shipping with Windows 10. The second most-popular Microsoft browser, however, remains IE 8, which was released in 2009, followed by IE 9, which was released in 2011. Both are no longer getting patched, yet have known vulnerabilities.

Microsoft now supports just IE11 and Edge. That's only 3/5 of current IE users.
Source: NetMarketShare, Dec. 2015

The peril of continuing to use outdated IE is that it becomes a hack magnet for cybercriminals gunning for large numbers of PCs that they can quickly and easily exploit, using automated crimeware toolkits (see Nuke Old Java, FTC Tells Oracle). Such toolkits can be used to "weaponize" otherwise legitimate websites so they launch drive-by attacks that target known browser flaws. Some toolkits can also be used to generate malware that's designed to find and exploit known flaws on PCs.
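The article notes how hard it is to know how many users are still on IE 8, IE 9 or Windows XP. An organization can at least answer that question for its own web properties by looking at the User-Agent strings in its access logs. The script below is an added example, not code from the article or from Microsoft or NetMarketShare; the log lines are constructed, and it assumes the standard User-Agent conventions (the Trident token maps to IE 8 through 11, "Windows NT 5.1" identifies the Windows XP family, and "Edge/" identifies Edge). It prefers the Trident token over the MSIE token because IE 11 in compatibility view advertises "MSIE 7.0" while still sending Trident/7.0, so counting only MSIE would overstate the number of unsupported browsers.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jan/2016:09:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.2 - - [13/Jan/2016:09:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.3 - - [13/Jan/2016:09:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.4 - - [13/Jan/2016:09:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)"
10.0.0.5 - - [13/Jan/2016:09:01:20 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
10.0.0.6 - - [13/Jan/2016:09:01:25 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
"""

# Trident (layout engine) version -> IE major version. More reliable than the
# MSIE token, which IE 11 rewrites to "MSIE 7.0" in compatibility view.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

# The User-Agent is the last double-quoted field on a combined-log-format line.
UA_RE = re.compile(r'"([^"]*)"\s*$')


def classify_ua(ua):
    """Map a User-Agent string to (browser, major_version) for Microsoft browsers.

    Returns None for non-Microsoft browsers.
    """
    m = re.search(r"Edge/(\d+)", ua)
    if m:
        return ("Edge", int(m.group(1)))
    m = re.search(r"Trident/(\d+\.\d+)", ua)
    if m and m.group(1) in TRIDENT_TO_IE:
        return ("IE", TRIDENT_TO_IE[m.group(1)])
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return ("IE", int(m.group(1)))
    return None


def support_findings(ua):
    """Return the reasons a client is outside Microsoft support after Jan. 12, 2016:
    only IE 11 (and Edge) still receive security updates, and the Windows XP
    family (reported as "Windows NT 5.1") is out of support.
    """
    findings = []
    browser = classify_ua(ua)
    if browser and browser[0] == "IE" and browser[1] < 11:
        findings.append("IE %d: no further security updates" % browser[1])
    if "Windows NT 5.1" in ua:
        findings.append("Windows XP: operating system out of support")
    return findings


def scan_log(log_text):
    """Tally support findings over an access log.

    Returns (Counter of finding -> count, list of (client_ip, user_agent, findings)
    for every line that produced at least one finding).
    """
    tally = Counter()
    flagged = []
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue  # not a combined-log-format line; skip rather than guess
        ua = m.group(1)
        findings = support_findings(ua)
        for f in findings:
            tally[f] += 1
        if findings:
            flagged.append((line.split()[0], ua, findings))
    return tally, flagged


if __name__ == "__main__":
    tally, flagged = scan_log(SAMPLE_LOG)
    for reason, n in tally.most_common():
        print("%3d  %s" % (n, reason))
    for ip, ua, findings in flagged:
        print(ip, "->", "; ".join(findings))
```

Run against the constructed sample, the IE 8 client on Windows XP and the IE 9 client are flagged, while the IE 11 client, the IE 11 client in compatibility view ("MSIE 7.0" with Trident/7.0), Edge and Chrome are not. Pointing the same scan at a real log gives a per-site view of how much of the audience is still on browsers that will no longer receive patches.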

Furthermore, cybercriminals who reverse-engineer Microsoft's latest batch of security fixes, released Jan. 12, will have new tricks for exploiting IE 10 and earlier. That's because Microsoft's security update patches a remote-code execution flaw in all versions of IE that's rated "critical," meaning that an attacker could remotely exploit it to take full control of a system.

Silverlight Stings

Another flaw to beware - also patched Jan. 12 - is a bug in the Web browser plug-in Silverlight, which would allow attackers to remotely exploit any Windows and Mac OS X systems on which it's installed. "In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user," Microsoft says. "If a user is logged on with administrative user rights, an attacker could take complete control of the affected system."

The latest version - Silverlight 5.1.41212.0 - patches the flaw; use Microsoft's Silverlight page to see if the plug-in is installed on your system.

Silverlight, which was launched as a competitor to Flash, continues to be supported by IE, Mozilla Firefox and Apple Safari (see 2016 Resolution: Ditch Flash). Google, however, dropped support for Silverlight in April 2015, with version 42 of its browser.

Hacking Team Leak Legacy

The Silverlight flaw was discovered by Kaspersky Lab, which learned of the existence of the vulnerability - although no technical details - thanks to the hacker known as "Phineas Fisher," who hacked into Italian spyware vendor Hacking Team and in July 2015 released 400 GB of corporate data, including emails and code (see Hacking Team Dump: Windows Zero Day).

The leaked emails, Ars Technica reported, revealed that Hacking Team had bought a zero-day Flash exploit from a 33-year-old Russian who identified himself as Moscow-based Vitaliy Toropov, and who also offered to sell Hacking Team a zero-day Silverlight exploit, which he said he'd crafted 2.5 years before (see Hacking Team Zero-Day Attack Hits Flash).

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
